Opened 17 years ago
Closed 16 years ago
#5760 closed (wontfix)
Use keyed hashing for session data, remove duplicate code
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | contrib.sessions | Version: | 0.96 |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Use hmac instead of md5 to create a digest of session data. Using hmac is probably more secure than the home built md5 implementation. Also, the current implementation uses hexdigest() when digest() is just fine.
While replacing the hash, extract the digest code to a new function to remove duplicate code.
Issues:
- Old session will be invalidated with this patch
Attachments (1)
Change History (2)
by , 17 years ago
| Attachment: | session.patch added |
|---|
comment:1 by , 16 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
I don't think the churn is worth it here, since invalidating existing sessions is a little annoying. If somebody constructs a string that collides with our MD5 hash, there's not a lot they can do, since they really need the right string to be able to work out what's in the session. MD5 is vulnerable to collisions, not reverse-engineering.
Note:
See TracTickets
for help on using tickets.
patch